SILENTTRINITY
Dynamically compile & obfuscate the C# stager server side ala Covenant/SharpGen
I installed .NET Core the other day on macOS and it seems to be pretty straightforward. Plus there seem to be packages for it for almost every *nix OS that I'd ever use (including Arch!).
Using msbuild is pretty simple. Also I'm testing ConfuserEx 2.
mono ~/Development/Confuser/ConfuserEx/Confuser.CLI.exe Confuser.crproj [±module/boo/screenshot ●]
[INFO] Confuser.Core 1.1.0+a36320377a Copyright © 2014 Ki, 2018 Martin Karing
[INFO] Running on Unix 4.9.0.8, 5.16.0.220 (tarball Wed Jan 2 21:11:29 UTC 2019), 64 bits
[DEBUG] Discovering plugins...
[INFO] Discovered 10 protections, 1 packers.
[DEBUG] Resolving component dependency...
[INFO] Loading input modules...
[INFO] Loading 'SILENTTRINITY_DLL.dll'...
[INFO] Initializing...
[DEBUG] Building pipeline...
[INFO] Resolving dependencies...
[DEBUG] Checking Strong Name...
[DEBUG] Creating global .cctors...
[DEBUG] Watermarking...
[DEBUG] Executing 'Name analysis' phase...
[DEBUG] Building VTables & identifier list...
[DEBUG] Analyzing...
[ERROR] Failed to resolve a type, check if all dependencies are present in the correct version.
Exception: dnlib.DotNet.TypeResolveException: Could not resolve type: System.Security.Cryptography.ECDiffieHellmanCng (System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089)
at dnlib.DotNet.TypeRef.ResolveThrow (dnlib.DotNet.ModuleDef sourceModule) [0x00023] in <aa81463b59dc4f169fafd35d5a5c2482>:0
at dnlib.DotNet.TypeRef.ResolveThrow () [0x00000] in <aa81463b59dc4f169fafd35d5a5c2482>:0
at dnlib.DotNet.Extensions.ResolveTypeDefThrow (dnlib.DotNet.ITypeDefOrRef tdr) [0x00016] in <aa81463b59dc4f169fafd35d5a5c2482>:0
at Confuser.Renamer.Analyzers.InterReferenceAnalyzer.ProcessMemberRef (Confuser.Core.ConfuserContext context, Confuser.Renamer.INameService service, dnlib.DotNet.ModuleDefMD module, dnlib.DotNet.IMemberRef r) [0x0003a] in <40d4803a89d4400cae70fea3f60b796e>:0
at Confuser.Renamer.Analyzers.InterReferenceAnalyzer.Analyze (Confuser.Core.ConfuserContext context, Confuser.Renamer.INameService service, Confuser.Core.ProtectionParameters parameters, dnlib.DotNet.IDnlibDef def) [0x000d8] in <40d4803a89d4400cae70fea3f60b796e>:0
at Confuser.Renamer.AnalyzePhase.Analyze (Confuser.Renamer.NameService service, Confuser.Core.ConfuserContext context, Confuser.Core.ProtectionParameters parameters, dnlib.DotNet.IDnlibDef def, System.Boolean runAnalyzer) [0x000e8] in <40d4803a89d4400cae70fea3f60b796e>:0
at Confuser.Renamer.AnalyzePhase.Execute (Confuser.Core.ConfuserContext context, Confuser.Core.ProtectionParameters parameters) [0x0013f] in <40d4803a89d4400cae70fea3f60b796e>:0
at Confuser.Core.ProtectionPipeline.ExecuteStage (Confuser.Core.PipelineStage stage, System.Action`1[T] func, System.Func`1[TResult] targets, Confuser.Core.ConfuserContext context) [0x000eb] in <a79b6faf4ca74b6e9910d6d31f294fda>:0
at Confuser.Core.ConfuserEngine.RunPipeline (Confuser.Core.ProtectionPipeline pipeline, Confuser.Core.ConfuserContext context) [0x00050] in <a79b6faf4ca74b6e9910d6d31f294fda>:0
at Confuser.Core.ConfuserEngine.RunInternal (Confuser.Core.ConfuserParameters parameters, System.Threading.CancellationToken token) [0x00419] in <a79b6faf4ca74b6e9910d6d31f294fda>:0
[ERROR] ---BEGIN DEBUG INFO---
[ERROR] Installed Framework Versions:
Failed at 11:16 PM, 0:00 elapsed.
Unhandled Exception:
System.AggregateException: One or more errors occurred. ---> System.NotImplementedException: The method or operation is not implemented.
at Microsoft.Win32.UnixRegistryApi.OpenRemoteBaseKey (Microsoft.Win32.RegistryHive hKey, System.String machineName) <0x7f04684a10e0 + 0x00012> in <0f8aeac9d63d4b8aa575761bb4e65b79>:0
at Microsoft.Win32.RegistryKey.OpenRemoteBaseKey (Microsoft.Win32.RegistryHive hKey, System.String machineName) <0x7f046849e5a0 + 0x0003a> in <0f8aeac9d63d4b8aa575761bb4e65b79>:0
at Confuser.Core.ConfuserEngine+<GetFrameworkVersions>d__17.MoveNext () [0x0002f] in <a79b6faf4ca74b6e9910d6d31f294fda>:0
at Confuser.Core.ConfuserEngine.PrintEnvironmentInfo (Confuser.Core.ConfuserContext context) [0x0005c] in <a79b6faf4ca74b6e9910d6d31f294fda>:0
at Confuser.Core.ConfuserEngine.RunInternal (Confuser.Core.ConfuserParameters parameters, System.Threading.CancellationToken token) [0x0045b] in <a79b6faf4ca74b6e9910d6d31f294fda>:0
at Confuser.Core.ConfuserEngine+<>c__DisplayClass3_0.<Run>b__0 () [0x00011] in <a79b6faf4ca74b6e9910d6d31f294fda>:0
at System.Threading.Tasks.Task.InnerInvoke () <0x7f046866d8e0 + 0x00032> in <0f8aeac9d63d4b8aa575761bb4e65b79>:0
at System.Threading.Tasks.Task.Execute () <0x7f046866d720 + 0x00012> in <0f8aeac9d63d4b8aa575761bb4e65b79>:0
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task.Wait (System.Int32 millisecondsTimeout, System.Threading.CancellationToken cancellationToken) <0x7f046866dda0 + 0x000e3> in <0f8aeac9d63d4b8aa575761bb4e65b79>:0
at System.Threading.Tasks.Task.Wait () <0x7f046866dce0 + 0x0000c> in <0f8aeac9d63d4b8aa575761bb4e65b79>:0
at Confuser.CLI.Program.RunProject (Confuser.Core.ConfuserParameters parameters) [0x00026] in <6e1908ce4e94462ba922fb6c794bae7a>:0
at Confuser.CLI.Program.Main (System.String[] args) [0x00385] in <6e1908ce4e94462ba922fb6c794bae7a>:0
---> (Inner Exception #0) System.NotImplementedException: The method or operation is not implemented.
at Microsoft.Win32.UnixRegistryApi.OpenRemoteBaseKey (Microsoft.Win32.RegistryHive hKey, System.String machineName) <0x7f04684a10e0 + 0x00012> in <0f8aeac9d63d4b8aa575761bb4e65b79>:0
at Microsoft.Win32.RegistryKey.OpenRemoteBaseKey (Microsoft.Win32.RegistryHive hKey, System.String machineName) <0x7f046849e5a0 + 0x0003a> in <0f8aeac9d63d4b8aa575761bb4e65b79>:0
at Confuser.Core.ConfuserEngine+<GetFrameworkVersions>d__17.MoveNext () [0x0002f] in <a79b6faf4ca74b6e9910d6d31f294fda>:0
at Confuser.Core.ConfuserEngine.PrintEnvironmentInfo (Confuser.Core.ConfuserContext context) [0x0005c] in <a79b6faf4ca74b6e9910d6d31f294fda>:0
at Confuser.Core.ConfuserEngine.RunInternal (Confuser.Core.ConfuserParameters parameters, System.Threading.CancellationToken token) [0x0045b] in <a79b6faf4ca74b6e9910d6d31f294fda>:0
at Confuser.Core.ConfuserEngine+<>c__DisplayClass3_0.<Run>b__0 () [0x00011] in <a79b6faf4ca74b6e9910d6d31f294fda>:0
at System.Threading.Tasks.Task.InnerInvoke () <0x7f046866d8e0 + 0x00032> in <0f8aeac9d63d4b8aa575761bb4e65b79>:0
at System.Threading.Tasks.Task.Execute () <0x7f046866d720 + 0x00012> in <0f8aeac9d63d4b8aa575761bb4e65b79>:0 <---
[ERROR] FATAL UNHANDLED EXCEPTION: System.AggregateException: One or more errors occurred. ---> System.NotImplementedException: The method or operation is not implemented.
at Microsoft.Win32.UnixRegistryApi.OpenRemoteBaseKey (Microsoft.Win32.RegistryHive hKey, System.String machineName) <0x7f04684a10e0 + 0x00012> in <0f8aeac9d63d4b8aa575761bb4e65b79>:0
at Microsoft.Win32.RegistryKey.OpenRemoteBaseKey (Microsoft.Win32.RegistryHive hKey, System.String machineName) <0x7f046849e5a0 + 0x0003a> in <0f8aeac9d63d4b8aa575761bb4e65b79>:0
at Confuser.Core.ConfuserEngine+<GetFrameworkVersions>d__17.MoveNext () [0x0002f] in <a79b6faf4ca74b6e9910d6d31f294fda>:0
at Confuser.Core.ConfuserEngine.PrintEnvironmentInfo (Confuser.Core.ConfuserContext context) [0x0005c] in <a79b6faf4ca74b6e9910d6d31f294fda>:0
at Confuser.Core.ConfuserEngine.RunInternal (Confuser.Core.ConfuserParameters parameters, System.Threading.CancellationToken token) [0x0045b] in <a79b6faf4ca74b6e9910d6d31f294fda>:0
at Confuser.Core.ConfuserEngine+<>c__DisplayClass3_0.<Run>b__0 () [0x00011] in <a79b6faf4ca74b6e9910d6d31f294fda>:0
at System.Threading.Tasks.Task.InnerInvoke () <0x7f046866d8e0 + 0x00032> in <0f8aeac9d63d4b8aa575761bb4e65b79>:0
at System.Threading.Tasks.Task.Execute () <0x7f046866d720 + 0x00012> in <0f8aeac9d63d4b8aa575761bb4e65b79>:0
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task.Wait (System.Int32 millisecondsTimeout, System.Threading.CancellationToken cancellationToken) <0x7f046866dda0 + 0x000e3> in <0f8aeac9d63d4b8aa575761bb4e65b79>:0
at System.Threading.Tasks.Task.Wait () <0x7f046866dce0 + 0x0000c> in <0f8aeac9d63d4b8aa575761bb4e65b79>:0
at Confuser.CLI.Program.RunProject (Confuser.Core.ConfuserParameters parameters) [0x00026] in <6e1908ce4e94462ba922fb6c794bae7a>:0
at Confuser.CLI.Program.Main (System.String[] args) [0x00385] in <6e1908ce4e94462ba922fb6c794bae7a>:0
---> (Inner Exception #0) System.NotImplementedException: The method or operation is not implemented.
at Microsoft.Win32.UnixRegistryApi.OpenRemoteBaseKey (Microsoft.Win32.RegistryHive hKey, System.String machineName) <0x7f04684a10e0 + 0x00012> in <0f8aeac9d63d4b8aa575761bb4e65b79>:0
at Microsoft.Win32.RegistryKey.OpenRemoteBaseKey (Microsoft.Win32.RegistryHive hKey, System.String machineName) <0x7f046849e5a0 + 0x0003a> in <0f8aeac9d63d4b8aa575761bb4e65b79>:0
at Confuser.Core.ConfuserEngine+<GetFrameworkVersions>d__17.MoveNext () [0x0002f] in <a79b6faf4ca74b6e9910d6d31f294fda>:0
at Confuser.Core.ConfuserEngine.PrintEnvironmentInfo (Confuser.Core.ConfuserContext context) [0x0005c] in <a79b6faf4ca74b6e9910d6d31f294fda>:0
at Confuser.Core.ConfuserEngine.RunInternal (Confuser.Core.ConfuserParameters parameters, System.Threading.CancellationToken token) [0x0045b] in <a79b6faf4ca74b6e9910d6d31f294fda>:0
at Confuser.Core.ConfuserEngine+<>c__DisplayClass3_0.<Run>b__0 () [0x00011] in <a79b6faf4ca74b6e9910d6d31f294fda>:0
at System.Threading.Tasks.Task.InnerInvoke () <0x7f046866d8e0 + 0x00032> in <0f8aeac9d63d4b8aa575761bb4e65b79>:0
at System.Threading.Tasks.Task.Execute () <0x7f046866d720 + 0x00012> in <0f8aeac9d63d4b8aa575761bb4e65b79>:0 <---
I think the project should be migrated to netcore (https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.ecdiffiehellmancng?view=netcore-2.1)
After trying to find a workaround, ConfuserEx won't work right now because ConfuserEx has to resolve all dependencies of the assembly to work properly. System.Security.Cryptography.ECDiffieHellmanCng is only available on Windows right now.
I'm testing an Elliptic-curve Diffie–Hellman Key Exchange Algorithm implementation using BouncyCastle. Here's the branch https://github.com/davidtavarez/SILENTTRINITY/tree/breaking/diffie-hellman
I was able to obfuscate the exe using the ConfuserEx CLI with this configuration:
<project baseDir="bin/Release/" outputDir="Obfuscated" xmlns="http://confuser.codeplex.com">
  <module path="SILENTTRINITY.exe">
    <rule pattern="true" inherit="false">
      <protection id="anti debug" />
      <!--<protection id="anti dump" /> -->
      <protection id="anti ildasm" />
      <!-- <protection id="anti tamper" /> -->
      <protection id="constants" />
      <protection id="ctrl flow" />
      <!-- <protection id="invalid metadata" /> -->
      <protection id="ref proxy" />
      <protection id="rename" />
      <protection id="resources" />
    </rule>
  </module>
  <probePath>/usr/lib/mono/4.0/</probePath>
  <probePath>/usr/lib/mono/4.0-api/</probePath>
</project>
$ dotnet Confuser.CLI.dll Confuser.crproj
info: core[0]
Discovered 13 protections, 1 packers.
info: core[0]
Confuser.Core 2.0.0-alpha.179+d7f6621dfb Copyright © 2018 - 2019 Martin Karing
info: core[0]
Running on Unix 4.9.0.8, .NET Framework v4.0.30319.42000, 64 bits
info: core[0]
Loading input modules...
info: core[0]
Loading 'SILENTTRINITY.exe'...
info: core[0]
Resolving dependencies...
info: core[0]
Processing module 'SILENTTRINITY.exe'...
info: core[0]
Writing module 'SILENTTRINITY.exe'...
info: core[0]
Finalizing...
info: core[0]
Done.
Press any key to continue…
It seems to be working:
$ mono SILENTTRINITY.exe
Usage: SILENTTRINITY.exe <URL> [<STAGE_URL>]
Also, SILENTTRINITY can be built using msbuild from Linux, macOS and Windows without the ECDiffieHellmanCng dependency.